The Five Factors of Authentication

Pretty much everyone today knows what a password is and has a password (or several) for something or other. We have relied on passwords to protect us for a long time. But passwords are not as hard to crack as one might think – and cracking them is even easier given the state of hacking technology.

Jim Carrey as Ace Ventura Cracks a Password in Seconds

The time in which a password was a barrier between something valuable to you and someone who shouldn’t have access to it is at an end. Or, at least, the time in which passwords were the only barrier is…

Technology has evolved both for professional hackers and for those who try to protect you from said criminals. Cybercriminals have developed advanced hacking tools and methods that can break a simple password – no matter what it is – in a matter of minutes. So how has security technology improved to respond to this?

The answer doesn’t lie in strengthening passwords. A password that is highly complex and therefore seemingly secure still has a drawback – it can be forgotten easily. People resort to writing the password down in a text file or on paper to remember it, which returns its security level to that of a simple password. The answer lies in creating security measures that authenticate against things other than something that you generate yourself and try to remember (a password). The answer lies in what are called the Five Factors of Authentication.

Factor #1: What You Know

This factor includes anything that you can commit to memory. Passwords themselves fall under this category. Another example of a ‘What You Know’ factor is a challenge-response question. These questions improve security by asking you a question whose answer you defined during the setup process. The issue with this kind of authentication is that something that you know can easily be something that somebody else knows, or can simply be found out through logic or hacking tools – and voila! Access to your private data becomes a 5-lane highway with multiple unauthorized people accessing your account.

Factor #2: Something You Have

What would be an improvement in security over something that you know (that other people may also know or learn)? Something that you have (physically), of course! It is virtually impossible to generate an identical hardware copy of a phone with the same phone number, or of a ‘hardware token’ that you might have received from your bank that displays a One-Time Password (OTP) whenever you want to make a transaction. This factor steps up authentication to enable access only if you have a registered hardware device (OTPs can be sent to your phone as well). Such devices improve security considerably, as potential hackers rarely share the same physical environment as their targets – but not always. This factor can be compromised if you lose your phone or hardware token – and in infrequent but advanced hacking attempts the OTPs can be intercepted while they are being sent. So, they are secure, but not secure enough…

Factor #3: Something You ARE

One of the highest levels of authentication security can be created through ‘What You Are’ factors. Unless your love of the movie Minority Report borders on physical, one cannot really contest that a scan of the iris in your eye is indeed a foolproof way of securing access. What you are has to do with biometrics – facial recognition, voice recognition etc., or in other words something that simply cannot be divorced from your fundamental physical identity (unless, of course, you’ve watched Minority Report a few too many times!). This authentication factor is highly secure except for one fundamental flaw: the recognition is most often based on digital signatures, which can be hacked like any other information and fed to the device to hack it. A chain is only as strong as its weakest link, after all…

Factor #4: SomeWHERE You Are

Here, address-tracking technology such as MAC addresses and IP addresses is used to validate the authenticity, or indeed even the plausibility, of an access attempt. If you used your card an hour ago at an ATM on Sunset Boulevard in Miami, Florida, a security system can quite effectively protect you from an attempt to use your card in Seattle. It is obvious to the system that one of the authorization attempts is fraudulent, and your account will get locked to prevent any further fraud. Geolocation isn’t the best authorization method to verify an access attempt; rather, it locks down on unusual access attempts.
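The Miami-then-Seattle check described above is commonly implemented as an "impossible travel" rule. The following is an added example, not code from the original article: the event tuples are constructed sample data, the coordinates are assumed to have been resolved already (from the ATM's known location or an IP geolocation lookup), and the 900 km/h threshold is an assumption roughly matching airliner speed.

```python
import math
from datetime import datetime

# Constructed sample events: (user, ISO timestamp, latitude, longitude, label)
EVENTS = [
    ("alice", "2024-05-01T12:00:00", 25.7617, -80.1918, "Miami ATM"),
    ("alice", "2024-05-01T13:00:00", 47.6062, -122.3321, "Seattle ATM"),
    ("bob", "2024-05-01T09:00:00", 25.7617, -80.1918, "Miami ATM"),
    ("bob", "2024-05-01T09:40:00", 26.1224, -80.1373, "Fort Lauderdale ATM"),
]

MAX_SPEED_KMH = 900.0  # assumed threshold for plausible travel


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on Earth, in kilometres."""
    radius = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat = p2 - p1
    dlon = math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * radius * math.asin(math.sqrt(a))


def impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Return (user, from_label, to_label, km) for each implausible hop."""
    last_seen = {}
    alerts = []
    for user, ts, lat, lon, label in sorted(events, key=lambda e: e[1]):
        when = datetime.fromisoformat(ts)
        if user in last_seen:
            prev_when, prev_lat, prev_lon, prev_label = last_seen[user]
            dist = haversine_km(prev_lat, prev_lon, lat, lon)
            hours = (when - prev_when).total_seconds() / 3600
            if hours > 0:
                speed = dist / hours
            else:
                # same instant, different place: treat as infinitely fast
                speed = math.inf if dist > 1.0 else 0.0
            if speed > max_speed_kmh:
                alerts.append((user, prev_label, label, round(dist)))
        last_seen[user] = (when, lat, lon, label)
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(EVENTS):
        print("lock account and review:", alert)
```

Only the Miami-to-Seattle pair is flagged; the short hop within South Florida passes, which matches the article's point that location screens out implausible attempts rather than proving identity.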

Factor #5: Something You DO

In 1991 Canadian music artist Bryan Adams left us all spellbound with his hit song, ‘Everything I Do, I Do it For You.’ The song really has nothing to do with what we’re talking about but we just really felt compelled to mention it… anyway, onwards to our last (to date) authentication factor! What makes a person unique? It is all these factors! What they know, what they have, where they are, and who they are! But there’s something else – your behavioral nuances – how you behave on a day-to-day basis with the things and people that you interact with. What’s the first app that you access on your phone after you switch it on 95% of the time? Which website do you check first thing every morning? Heck, what is that one song you simply can’t go a day without listening to? All this information can be analyzed with fifth-factor authentication and used to verify your identity on an ongoing basis. The field is called ‘Behavioral Biometrics’ and the technology is called ‘Machine Learning’ (your machine – phone, laptop, whatever – is learning about your unique behavioral characteristics in real time). This is the most powerful factor of authentication available for two reasons: a) it is impossible to replicate all your nuances, and b) since multitudes of behavioral metrics are analyzed, there is no singular attack point such as an iris scan or facial recognition. It is damn-near impossible to hack.

While someday technology such as behavioral biometrics might replace passwords and hard tokens, right now the best possible protection is a security system that utilizes a number of these factors. A system that asks for a password, then asks for an OTP from your phone or hardware token or does a quick iris scan, checks your location, and finally keeps monitoring your behavior for something that doesn’t seem right offers the highest level of protection. Many Identity and Access Management solutions and tech devices are being rolled out with all these features. The future has come. And while there’s more to come, we think that what we have now is pretty damned cool!